The days of directly connecting to the Internet and Web browsing are quickly coming to a close. Just seven short years ago, it seemed as if everyone had a modem on their personal or business machine and established a direct dial-up connection with their ISP. Now, everyone from home users and small businesses to medium and large corporate networks uses some sort of intermediary to access the Internet.
The type of intermediary depends on the needs and the pocketbook of the individual or business connecting to the Internet. Most home networks and small businesses use a simple Network Address Translation (NAT) server. Medium and large-size businesses use a proxy server. However, even small businesses are realizing the benefits of using a more powerful proxy server solution to speed up connections and allow for access control.
Because networks are connecting to the Web through proxy services, you have to know how to configure the browser so that it works with the proxy server. In this Daily Feature, we’ll look at the configuration options in Internet Explorer 5.5 that you use to connect to the Web through a Web proxy server. We’ll also examine some special client configuration scenarios involving RAS clients where the settings might be different than you expect.
Web proxy clients on the internal network
When a browser on the LAN is configured to use the Web proxy service to gain access to the Internet, the client is referred to as a Web proxy client. To access the Web proxy client configuration options in Internet Explorer 5.5, perform the following steps:
1. Open Internet Explorer, click on the Tools menu, and then click on the Options command.
2. In the Internet Options dialog box, click on the Connections tab (Figure A). In the Dial-up Settings frame, choose the Never Dial A Connection option. You never want to create a dial-up connection while a computer is on the corporate network because it opens up the possibility of Internet intruders compromising your internal network through the dial-up link.
3. Click on the LAN Settings button. This opens the Local Area Network (LAN) Settings dialog box (Figure B).
Figure A: Examining the Connections dialog box
Figure B: These options give you control over how the browser works with the Web proxy service.
There are several options in this dialog box that allow control over how the browser works with the Web proxy service. These options include:
- Automatically Detect Settings
- Use Automatic Configuration Script
- Use A Proxy Server
- Bypass Proxy Server For Local Addresses
Let’s take a closer look at each of these options.
Automatically Detect Settings
Internet Explorer supports automatic configuration of the browser. Browser autoconfiguration allows computers to plug in to the network and automatically connect to the Web proxy service. All of this is accomplished without requiring an administrator to manually configure the browser.
Automatic configuration is accomplished through the use of the Web Proxy Auto-Discovery (WPAD) protocol. This protocol works with DNS and/or DHCP servers to provide information to the browser. Autoconfiguration settings are obtained from a central site that all browsers on the network can access.
In order for the browser to automatically detect settings, two things must be in place:
- A DNS or DHCP entry to support WPAD queries
- An Autoconfiguration file containing information needed to configure the browser
Both DNS and DHCP can be used to inform the browser of the location of the autoconfiguration information. To configure a DNS server to support WPAD queries, you must create a Host (A) resource record on the DNS server that includes the IP address of the Web proxy server. After creating the A record, you create an Alias or CNAME record pointing to that host. The Alias for the WPAD entry is wpad. For example, if the FQDN for the Web proxy server were proxy.domain.com, the alias for the machine would be wpad.domain.com.
You can test your alias by using the nslookup command. At the command prompt, type the command nslookup wpad.domain.com. and press [Enter]. You should see the name resolved to the IP address of your proxy server, as shown in Figure C.
Figure C: Testing the WPAD entry using nslookup
Nslookup and FQDNs
Note that you must include the trailing period at the end of the nslookup query. If you do not include the trailing period, the query will append the local host’s domain name, which may lead to an erroneous result.
If you wish to use DHCP to support autoconfiguration, you need to create a new DHCP option. The option name is WPAD, and the option code is 252. This option type requires a data string that should be in this format.
When you look at the option properties in the DHCP console, you’ll see something like what appears in Figure D.
Figure D: Confirming the WPAD DHCP option so you can use DHCP support
You can use either DNS or DHCP entries. One advantage of DHCP is that you can set a server option and have the WPAD entries apply to all scopes handled by the server. If you choose to use DNS WPAD entries, you must create the WPAD Alias Resource Record in each domain where you want the entry available.
Proxy configuration on Active Directory networks
If your Web proxy clients are members of an Active Directory domain, you can take advantage of Group Policy to assign all of the Web proxy client configuration options. A single Web proxy configuration can be applied to all computers in the domain, or you can apply different configurations for different OUs or Sites.
Use Automatic Configuration Script
You can create an Autoconfiguration script or use a script provided by your Web proxy server. The Autoconfiguration script provides special instructions to the browser. For example, if you choose to use the Autoconfiguration script provided by Microsoft Proxy Server 2.0 or Microsoft ISA Server 2000, the Web proxy client will be able to take advantage of the Cache Array Routing Protocol (CARP). CARP provides for fault tolerance and load balancing of Web requests from Web proxy clients configured to use the Autoconfiguration script.
Use A Proxy Server
Select this option if you wish to manually configure the browser. You can enter the IP address or the computer name of the Web proxy server. If you use a computer name, make sure that the name can be resolved. If all machines are on the same segment as the internal interface of the Web proxy server, then NetBIOS broadcast queries can resolve an unqualified name. If machines are remote from the internal interface of the Web proxy server, then you need to have a name resolution mechanism such as WINS or DNS in place.
Enter the port number that the Web proxy service uses to listen for Web proxy client requests. Microsoft Proxy 2.0 uses port 80; Microsoft ISA Server and most Squid servers use port 8080. The port number must be entered.
The Bypass Proxy Server For Local Addresses option is selected when you wish the browser to bypass the proxy server when accessing clients on the internal network. The assumption is that you will use an unqualified name to access local resources and fully qualified names to access Internet resources. This option applies only to names that do not have periods in them. It does not apply to partially qualified names.
You can fine-tune your manual configuration by clicking the Advanced button. You will see the Proxy Settings dialog box, as shown in Figure E.
Figure E: Configuring advanced Web proxy client options
By default, the Use The Same Proxy Server For All Protocols option is selected. If you wish to use other servers or ports for different Web protocols, you can deselect this option and create individual entries for each protocol.
The Exceptions frame allows you to customize the addresses that will bypass the Web proxy service. You can use wildcard entries in the text box that will allow you to bypass the Web proxy service for all machines on your internal domain or for any domain of your choice. Note that bypassing the Web proxy service does not allow you to circumvent the security configuration on the Web proxy server. If you enter an external domain and the client is denied access to the external domain in the Web proxy service configuration, the client will still not have access to the denied domain.
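The Autoconfiguration script, the Bypass Proxy Server For Local Addresses option and the Exceptions list described above can all be expressed in one script. The following is an added example, not part of the original article and not the script shipped with Microsoft Proxy Server or ISA Server; it assumes the article's example name proxy.domain.com, port 8080, and domain.com as the internal domain.

```javascript
// Added example: a minimal autoconfiguration (PAC) script.
// Assumed values: proxy.domain.com (the article's example FQDN), port 8080
// (the port the article gives for ISA Server), internal domain domain.com.

// Browsers supply the PAC helper functions. The fallbacks below are defined
// only when they are missing, so the same file can be tested under Node.js.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    // True for unqualified names, i.e. names with no period in them.
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    // True when host ends with the given domain suffix.
    return host.length >= domain.length &&
      host.slice(-domain.length) === domain;
  };
}

var INTERNAL_DOMAIN = "domain.com";            // assumed internal domain
var PROXY = "PROXY proxy.domain.com:8080";     // assumed proxy and port

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Equivalent of "Bypass Proxy Server For Local Addresses":
  // only names without a period are treated as local.
  if (isPlainHostName(host)) return "DIRECT";

  // Equivalent of an Exceptions entry for the internal domain. The suffix
  // is matched with its leading dot so that look-alike names such as
  // notdomain.com are not mistaken for internal hosts.
  if (host === INTERNAL_DOMAIN || dnsDomainIs(host, "." + INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // Everything else goes to the Web proxy. No DIRECT fallback is listed,
  // so external requests always pass through the proxy's access control.
  return PROXY;
}

// Constructed sample hosts, printed only when run under Node.js.
if (typeof process !== "undefined") {
  ["intranet", "www.domain.com", "intranet.sales", "notdomain.com",
   "www.example.org"].forEach(function (h) {
    console.log(h + " -> " + FindProxyForURL("http://" + h + "/", h));
  });
}
```

Because the exception is matched with its leading dot, a look-alike name such as notdomain.com is still sent to the proxy, and a partially qualified name such as intranet.sales is not treated as local.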
Configuring RAS clients to use the Web proxy server
Remote Access clients that need to use the internal network’s Web proxy service are configured a little differently. To configure a RAS client to use the internal network’s Web proxy service, perform the following steps:
1. Open Internet Explorer, click the Tools menu, and then click the Internet Options command. Click on the Connections tab.
2. In the Dial-up Settings frame, select the connection you use to connect to a direct dial-in RAS server or VPN server and click the Settings button.
3. The ISP Settings dialog box for the connection appears, as shown in Figure F. Configure the dial-up client to use the appropriate configuration options.
Figure F: You must use this configuration box on browsers that detect the difference between a dial-up and a LAN connection.
Dial-up connections and the Automatically Detect Settings option
Your dial-up clients will not be able to directly communicate with an internal DHCP server. If you wish to allow direct dial-up or VPN clients to obtain DHCP Options from the DHCP server, you will have to configure a DHCP Relay Agent on the Windows 2000 RAS Server.
An increasing number of Web browsers are connecting to the Internet through a Web proxy server. Because of this trend, browsers must be configured to use the Web proxy service. The Web browser can be changed to use the Web proxy service automatically, or you can configure the browser manually. Also, special configuration options are required for dial-up clients to use the internal network’s Web proxy server.